Gary Thuerk’s 1978 ARPANET email still explains the spam problem

On May 3, 1978, Gary Thuerk, a marketer at Digital Equipment Corporation, sent an unsolicited promotional email across ARPANET, the research network that preceded the public internet. The message advertised DEC’s DECSYSTEM-20 family and invited recipients to product demonstrations. It reached roughly 400 accounts, depending on the count used by each historical source, and it produced complaints almost at once. The first widely cited commercial spam email was not a criminal trick. It was a sales pitch that showed how easily a trusted network could be used against the expectations of its own users. Computer History Museum identifies the date and the DEC product pitch as the earliest known case of spam, while Guinness World Records records the event as the oldest electronic spam and gives a precise count of 397 accounts.

A sales pitch that exposed the inbox’s weakest idea

ARPANET, short for the Advanced Research Projects Agency Network, began as a packet-switched research network funded by ARPA, the U.S. agency now known as DARPA. DARPA’s own account places the first computer-to-computer signal between UCLA and the Stanford Research Institute on October 29, 1969. By 1978, ARPANET was still small enough that many addresses were known through printed directories, yet developed enough that one message could reach people across institutions and time zones. That combination — small-community trust plus network-scale distribution — is the central fact behind Thuerk’s email.

The message matters because it was early evidence of a problem the internet still has not solved cleanly. Email was built around delivery, not consent. The network tried to move messages from one place to another; it did not begin with a strong social contract about commercial targeting, user permission, identity verification, or inbox rights. Jon Postel’s 1975 RFC 706, “On the Junk Mail Problem,” had already warned that ARPANET hosts lacked a mechanism to selectively refuse unwanted messages and that unwanted traffic could waste processor time and network capacity. Thuerk did not invent that technical weakness. He made it visible to ordinary network users.

The 1978 email also complicates the popular story of spam. It was not called “spam” at the time. That label became attached to online abuse later, drawing from the Monty Python sketch and spreading through online communities before exploding in public use after the 1994 Canter and Siegel “green card” mass posting on Usenet. Brad Templeton, one of the most cited historians of the term, traces that naming history to repeated, unwanted messages that drowned out normal communication. The first spam email and the word “spam” belong to different moments. The behavior arrived before the name.

That distinction is more than trivia. It explains why spam became hard to govern. Networks usually recognize abuse after someone demonstrates it. By then, the technical affordance already exists, the incentive is visible, and the boundary between permitted use and exploitation becomes contested. Thuerk saw a cheaper way to reach likely customers. Recipients saw an unwanted commercial intrusion on a research network. Both interpretations were rooted in the same new capability: one sender could reach many people with little marginal cost.

The network was built for trusted researchers, not mass advertising

ARPANET was not a consumer service. It was a working research system used by universities, contractors, government-linked laboratories, and technical communities. The Internet Society’s historical account stresses that the early network grew from packet switching research, resource sharing, open documentation, and collaboration among researchers and engineers. Its culture mattered as much as its hardware. People who used ARPANET were not customers in the modern platform sense; they were participants in a shared technical environment.

That matters because the first spam email did not enter a neutral marketplace. It entered a community with norms. ARPANET users expected serious research, technical coordination, and professional communication. A commercial product demonstration invitation, even from a major computer company, cut across those expectations. Some recipients were potential buyers or technical evaluators. Others saw the message as a misuse of a government-funded network.

The early internet’s architecture favored openness. That openness had real benefits. It made collaboration easier, lowered barriers to experimentation, and allowed useful services to grow without central approval. Email itself became one of the defining applications because it matched the needs of a distributed research culture. The same openness also made the network poor at saying no. ARPANET could deliver a message, but it could not easily ask whether hundreds of recipients wanted the message in the first place.

This is the pattern that would repeat for decades. A communication tool starts with trust among a narrow group. The group grows. The cost of sending falls. The sender’s incentive separates from the recipient’s experience. Abuse then moves faster than the rules. Once the network becomes big enough, the damage is no longer only annoyance. It becomes fraud, malware distribution, phishing, brand impersonation, and business email compromise.

Thuerk’s case is striking because it appeared before the consumer internet, before cheap domain registration, before botnets, before malware-driven spam operations, and before email authentication standards. Yet the basic economic logic was already there. A sender with a list and a tool could reach many people faster than through calls, letters, or separate messages. If even a few recipients responded, the sender’s campaign could look successful.

The social cost, however, fell on everyone else. Recipients had to read, reject, complain, or clean up the intrusion. System administrators had to handle the reaction. Network stewards had to decide whether this was clever use or abuse. That asymmetry — private gain, shared cost — remains the spam economy’s core mechanism.

Gary Thuerk’s pitch was specific, not random

Thuerk’s email was not a vague scam blast. It was a targeted business announcement. DEC wanted to promote the DECSYSTEM-20 family, including systems with ARPANET support under TOPS-20. The Guardian’s account preserves part of the original message, describing DEC product presentations for the DECsystem-20 family, including the 2020, 2020T, 2060, and 2060T. Guinness World Records records the invitation as a product demonstration for the DECSYSTEM-2020, 2020T, 2060, and 2060T.

That detail matters. Modern readers often imagine the first spam as a crude fraud. It was closer to early account-based marketing. Thuerk wanted to reach ARPANET users on the U.S. West Coast because they were technically relevant prospects for DEC equipment. Brad Templeton’s account says DEC was stronger on the East Coast and that Thuerk wanted to reach West Coast contacts for open houses around the DEC-20. This was not random targeting. It was unwanted targeting.

The difference between those two ideas still shapes email policy. A message can be relevant and still be unsolicited. A sender can believe a recipient will benefit and still violate the recipient’s expectations. A product can be legitimate and still arrive through a channel that users consider inappropriate. Spam is not defined only by bad products or fraud. It is also defined by permission, context, volume, identity, and control.

The 1978 message was also bound to the technology of its day. Accounts were scarce, addresses were often found in directories, and the act of sending to hundreds of people took effort. The story has become famous partly because it sits at the awkward boundary between manual communication and network automation. It was not the one-click bulk email workflow of later marketing software. Yet it showed that once a list and a transport mechanism exist, scale begins to tempt the sender.

That temptation did not require malice. Thuerk reportedly defended the message as useful information about a relevant product. The problem is that networks do not scale on the sender’s intent alone. They scale through shared standards, enforcement, user trust, and predictable limits. The moment one sender treats every address as reachable inventory, every other sender can do the same.

Recipient count is less settled than the lesson

The most repeated number is “about 400.” Computer History Museum says the message was sent on May 3, 1978, and describes unsolicited bulk email as spam, tying the incident to a DECSYSTEM-20 promotion. Guinness World Records gives 397 email accounts and a timestamp of 12:33 EDT on May 3. Wired says the message was written on May 1 and sent two days later to more than 400 ARPANET addresses. The New Yorker describes Thuerk selecting 600 West Coast addresses, while the sent message reached fewer than that because of practical limits and addressing problems.

Those differences are not a reason to dismiss the story. They reveal something about early network history: logs, directories, oral accounts, and later reconstructions do not always line up perfectly. For a news analysis article, the careful formulation is this: Gary Thuerk’s May 3, 1978 DEC promotion is the first widely documented commercial spam email, sent to roughly 400 ARPANET accounts. That phrasing reflects the strongest consensus while avoiding false precision.

The difference between 393, 397, 400, or more than 400 does not change the significance. The event showed that a single sender could use email as a mass commercial channel before there was a public internet, before email became a household tool, and before anti-spam law existed. It also showed that user backlash could appear instantly when the social meaning of a channel changed without consent.

The same caution applies to the phrase “first spam email.” There were earlier examples of unwanted electronic messaging in narrower systems, and Postel’s 1975 RFC proves that “junk mail” was already a known network concern before Thuerk’s pitch. Thuerk’s place in history is more precise: his message is the first famous, well-documented commercial bulk email on ARPANET. It is the ancestor of commercial spam as an internet-era problem, not necessarily the first unwanted digital message ever sent by any system.

Precision protects the story from myth. The myth says one man invented spam. The stronger version says one man’s campaign exposed a structural weakness that many others later exploited at far greater scale. Spam was not born from a single personality flaw. It was born from a communication system where sending was cheap, identity was weak, and refusal was hard.

The backlash arrived before the business case faded

The reaction to Thuerk’s email was fast and hostile. Computer History Museum notes that one recipient claimed the message shut down his system. The New Yorker quotes recipient complaints that treated the message as a violation of ARPANET norms and says Thuerk was reprimanded. It also reports that DEC sold more than twenty systems at about a million dollars each.

That pairing — complaints and sales — is the hinge of the whole story. Spam survives when the sender’s upside remains visible even after recipients object. If a campaign produces revenue, leads, notoriety, or any measurable gain, the sender has a reason to repeat it or refine it. The recipient’s irritation becomes just another cost, especially when that cost is not paid directly by the sender.

This is why the first spam email still feels modern. Many commercial senders operate inside legal boundaries, use consent-based lists, honor unsubscribes, authenticate their domains, and monitor complaint rates. Bad actors do the opposite. Between those poles lies a grey zone: aggressive outreach, scraped addresses, purchased lists, thin consent, misleading personalization, and campaigns that depend on volume rather than trust. The old ARPANET dispute still lives there. A sender says, “These people might care.” A recipient says, “I did not ask for this.”

The backlash also shows that network culture can recognize abuse before law does. There was no CAN-SPAM Act in 1978. There were no Gmail bulk sender guidelines. There was no DMARC. Yet users understood that something had changed. A shared channel had been used for commercial reach at a scale that did not match its norms.

That reaction is not anti-business. It is pro-context. A product demonstration invitation might be welcome in a trade publication, a direct letter, a conference booth, or a message to an opted-in contact. The same content becomes intrusive when sprayed across a research network’s directory. Spam is often a context failure before it is a content failure.

Email became the internet’s first killer application and its first abuse surface

Ray Tomlinson sent the first network email in 1971 between two BBN-TENEXA machines and chose the “@” address structure that still defines email addressing. The Eduard Rhein Foundation’s account notes that by 1973 email already made up 75 percent of ARPANET traffic. The Internet Society also treats electronic mail as one of the most influential early internet applications and connects it to the development of protocol specifications and engineering collaboration.

The reason is plain. Email matched the work style of networked researchers. It was asynchronous, written, searchable, easy to forward, and useful across institutions. It lowered coordination costs. People could discuss technical problems without being on the same machine, in the same room, or on the same schedule.

Those same traits made email attractive to marketers and criminals. A tool that reaches across institutions can reach prospects. A tool that allows forwarding can spread rumors and scams. A tool that stores written records can carry invoices, password reset links, legal notices, shipping alerts, job offers, and executive instructions. A tool that users check often becomes a high-value attack channel.

The inbox became powerful because people trusted it. Spam became powerful because attackers learned to rent that trust. That is the direct line from ARPANET’s DEC announcement to modern phishing, spoofing, credential theft, fake invoices, and business email compromise. The first case was not malicious in the modern criminal sense, but it marked the same boundary crossing: the sender used the reach of email for the sender’s purpose, while recipients bore the filtering burden.

Email’s durability also makes spam durable. Many technologies from the 1970s disappeared or became niche. Email did not. It became embedded in identity, commerce, work, government, account recovery, legal notices, healthcare portals, banking alerts, and marketing automation. Even services that claim to replace email usually depend on email for account setup or recovery. That makes the inbox hard to abandon and hard to redesign from scratch.

A technical system with such backward compatibility cannot be fixed by one clean break. Anti-spam defenses have to preserve legitimate mail while rejecting abuse. That is harder than blocking a known bad domain or filtering one word. Legitimate and malicious messages use the same rails. A bank sends real alerts; criminals imitate them. A vendor sends real invoices; attackers spoof them. A recruiter writes to a candidate; scammers copy the format. The spam problem is therefore tied to email’s success.

Jon Postel had already named the junk mail problem

The most revealing document in the pre-Thuerk history is RFC 706, published in November 1975 by Jon Postel. Its title, “On the Junk Mail Problem,” is blunt. It says the ARPA Network Host/IMP interface protocol had no mechanism for a host to selectively refuse messages, meaning a host that wanted some messages had to read all addressed messages. It warned that a misbehaving host could send many messages and create a denial of service against users and the network.

That document makes two points that still matter. First, the “junk mail” problem was not invented by marketers. Engineers had already seen that unwanted traffic could harm shared resources. Second, Postel framed refusal as a technical capability. A healthy network needed a way to decline messages from sources that were misbehaving or annoying.

The history of spam can be read as a long effort to retrofit that refusal into email. Blocklists, spam folders, sender reputation, Bayesian filtering, SPF, DKIM, DMARC, complaint feedback loops, unsubscribe standards, rate limits, domain reputation, machine learning, and legal penalties all represent different ways of saying no. None is perfect because email sits across many administrative domains. The sender, sending service, receiving server, user interface, domain owner, and recipient all play different roles.

Postel’s insight was that unwanted communication is not just a social problem. It is also a resource allocation problem. CPU time, network throughput, storage, administrator attention, user attention, and trust all get consumed. In 1975, those resources were scarce in obvious ways. In 2026, storage and bandwidth are cheaper, but attention and trust are scarcer than ever.

The denial-of-service angle also looks prescient. Modern spam campaigns may not always crash systems, but they can overwhelm defenders, bury real messages, poison user habits, and train people to ignore warnings. In large organizations, email noise has operational cost. Employees miss legitimate alerts, security teams triage floods of reports, and domain owners manage authentication failures. The harm is not only that a bad message arrives. It is that the entire environment becomes harder to trust.

The word “spam” came later and carried a cultural judgment

The term “spam” is often traced to Monty Python’s famous sketch, where the word is repeated until it overwhelms normal conversation. Brad Templeton’s history explains that the internet meaning grew from the idea of repetition to the point of annoyance, with roots in online communities before the term gained broad public force. The 1994 Canter and Siegel “green card” Usenet posting did not coin the term, according to Templeton, but it pushed the word into much wider use because the ad was deliberately mass-posted across thousands of newsgroups.

That naming history tells us something useful. The problem was not only unsolicited advertising. It was the drowning out of a shared space. Spam described a message that repeated so much, or appeared so out of place, that it degraded the channel itself. The word carried irritation, not just taxonomy.

This is one reason spam remains hard to define in law. Users experience spam as a mix of unwantedness, volume, deception, irrelevance, repetition, and loss of control. Law tends to need narrower categories: commercial purpose, false headers, deceptive subject lines, opt-out rights, address harvesting, unauthorized relays, and sender responsibility. The legal definition cannot capture every social irritation without risking overreach.

The 1978 Thuerk email sits before that vocabulary. Recipients could complain that it was inappropriate, commercial, disruptive, or against the network’s spirit, but they did not yet have the shared shorthand of “spam.” Once the word arrived, it gave users a common label for a wide class of abuse. Labels matter because they allow complaints to scale. “I got an unwanted DEC ad” is a specific grievance. “This is spam” is a category.

Yet the label also creates confusion. People now use spam for legal marketing they dislike, outright fraud, malware campaigns, political blasts, nuisance newsletters, and cold sales outreach. For publishers, marketers, and security teams, that matters. A message can be legally compliant and still be treated as spam by recipients and inbox providers. Permission, expectation, relevance, frequency, and easy refusal matter because the user’s judgment helps drive filtering systems.

The first spam email was also an early test of commercializing the network

The early internet did not become commercial overnight. It moved through research, standards development, government support, university use, vendor adoption, NSFNET growth, and eventual private internet service markets. The Internet Society’s history describes commercialization as a phase that included vendors implementing internet technology and private network services taking over national-scale connectivity, with ARPANET decommissioned in 1990 after TCP/IP had spread widely.

Thuerk’s 1978 email appeared long before that mature commercial phase. That is why it caused friction. DEC was a legitimate computer company selling serious systems to technical buyers, and ARPANET users were exactly the kind of people who might understand the product. Yet ARPANET was not built as an ad channel. The network’s purpose, funding, and culture made the commercial use feel like an intrusion even when the product itself was relevant.

This tension would later become central to the public internet. Commercial activity funded enormous growth. Advertising, ecommerce, cloud services, online media, search, social platforms, and software distribution all depend on network commercialization. At the same time, commercial incentives drive tracking, inbox overload, manipulative design, affiliate fraud, lead generation abuse, and mass outreach.

The internet’s commercial success did not eliminate the old ARPANET question. It made the question bigger: who gets to use a shared communication channel for private gain, and under what rules? The answer has never been one rule. It has been a patchwork of protocol standards, provider policies, laws, user controls, reputation systems, and business norms.

Email marketing, when done well, became a legitimate industry. Transactional emails, newsletters, product updates, event invitations, receipts, alerts, and lifecycle campaigns are part of normal digital business. The line between useful and abusive is not the mere presence of commerce. It is whether the sender respects consent, identity, relevance, frequency, and exit rights.

Thuerk’s message is worth remembering because it was commercially rational and socially contested at the same time. That combination is exactly what still makes spam persistent. If every spam message were useless to the sender, spam would disappear. If every commercial message were clearly abusive, policy would be easier. The hard cases live in the middle, where senders claim relevance and recipients reject the intrusion.

The economics of spam were visible from the first campaign

Paper mail charges the sender for printing, postage, and handling. Phone calls cost time and sometimes money. In-person sales require travel and scheduling. Email changed that arithmetic. Once the list exists and the tool can address multiple recipients, sending one more message costs almost nothing. The cost shifts toward recipients, networks, and filters.

The New Yorker’s account of Thuerk’s campaign captures the early version of this logic: he wanted to reach West Coast technical contacts without calling or individually messaging hundreds of people. The idea was efficient from the sender’s side. It was intrusive from the recipient’s side. That asymmetry is the whole spam economy in miniature.

Modern spam multiplied that asymmetry through automation. Botnets, compromised accounts, bulletproof hosting, throwaway domains, URL shorteners, obfuscated text, image-based payloads, and generative text all reduce the sender’s cost or increase evasion. Defenders then spend money on filters, staff training, incident response, authentication, monitoring, and recovery. Users spend attention.

Spam is a tax on trust. The sender pays little to test whether a message will work. Everyone else pays to decide whether the message is safe, wanted, lawful, and real. That is why spam persists even when filter accuracy is high. A tiny success rate can support the attacker if the sender’s cost per attempt is low enough.

The same logic applies to low-grade commercial spam and high-stakes fraud. A cold outreach campaign may need only a few replies to justify itself. A phishing campaign may need one credential. A business email compromise campaign may need one finance employee to approve one transfer. The economics reward scale and persistence.

Email providers fight this by raising sender costs. Authentication requirements force domain owners to configure SPF, DKIM, and DMARC. Reputation systems punish poor complaint rates. Rate limits slow suspicious sending. Laws add penalties for deception and unauthorized sending. User interfaces add report buttons and unsubscribe links. Each defense makes abuse less cheap, less anonymous, or less durable.

That is the real policy lesson from 1978. Moral appeals are not enough. If the system makes abuse cheap and profitable, abuse grows. The solution is to change the cost curve: make wanted mail easier to prove, unwanted mail easier to reject, deceptive mail easier to punish, and compromised infrastructure harder to exploit.

Modern anti-spam law arrived after the inbox was already crowded

The United States did not pass its national commercial email law until 2003. Congress.gov records S.877, the CAN-SPAM Act of 2003, becoming Public Law No. 108-187 on December 16, 2003. The congressional summary says the law recognized a government interest in regulating commercial electronic mail, declared that senders should not mislead recipients about source or content, and stated that recipients have a right to decline further spam from the same source.

The Federal Trade Commission’s business guide explains the practical duties: accurate header information, non-deceptive subject lines, identification of advertising, a valid physical postal address, an opt-out method, prompt honoring of opt-outs within 10 business days, and responsibility for vendors sending on a company’s behalf. The FTC also states that each separate violating email may face penalties up to $53,088.

CAN-SPAM is often misunderstood. It did not ban all unsolicited commercial email. It created rules for commercial messages and enforcement tools against deception and abuse. That approach reflects a policy compromise. A total permission-only model would have sharply limited cold commercial email. A no-rule model would have left recipients with little formal protection. CAN-SPAM chose a middle path: commercial email can be sent if it follows rules and gives recipients a way out.

Critics have long argued that this was too weak, because it permits unsolicited commercial email until the recipient opts out. Supporters argue that it gives businesses a clear federal standard while targeting deception, fraud, and refusal to honor opt-outs. Whatever one thinks of the law, it shows how far the internet had moved from ARPANET’s informal norms. By 2003, spam was no longer a breach of etiquette on a research network. It was a mass-market legal and enforcement problem.

Law arrived after technical and economic behavior had already hardened. That pattern recurs in internet policy. First comes the capability. Then comes use. Then abuse. Then social backlash. Then provider rules. Then law. By the time law arrives, abuse has often moved again.

This is why modern inbox protection depends on both law and engineering. CAN-SPAM can penalize deception, but it cannot alone decide in milliseconds whether a message should reach Gmail, Outlook, Yahoo, or a corporate inbox. That decision belongs to filters, authentication checks, reputation systems, and user signals.

Provider rules now function like private email law

The most powerful anti-spam rules today are often written not by legislatures but by mailbox providers. Gmail, Outlook, Yahoo, Apple, and large enterprise systems decide which messages reach inboxes, which land in spam folders, and which get rejected. Their rules shape marketer behavior globally because senders need access to their users.

Google announced in October 2023 that starting in 2024, bulk senders would need to authenticate email, allow easy unsubscribe, and stay under a reported spam threshold. Google also said Gmail’s defenses block more than 99.9 percent of spam, phishing, and malware from reaching inboxes and block nearly 15 billion unwanted emails each day. Google’s sender guidelines require all senders to use SPF or DKIM and require bulk senders to use SPF, DKIM, and DMARC. They also warn that unauthenticated messages may be rejected or marked as spam.

Microsoft followed the same direction for Outlook. Its 2025 high-volume sender requirements call for mandatory SPF, DKIM, and DMARC settings, reflecting the broader industry shift from optional best practice to enforced baseline.

These provider rules show a major shift. The old internet email model accepted mail first and sorted it later. The newer model asks senders to prove more before delivery. That proof includes domain authentication, alignment, working unsubscribe, complaint discipline, and clean infrastructure. Inbox access has become conditional. Reach is no longer granted merely because a sender knows an address.

For legitimate senders, this raises operational standards. Email marketing is no longer only copy, segmentation, and design. It is DNS configuration, authentication alignment, list hygiene, bounce management, domain reputation, consent records, and complaint monitoring. A brand that treats email as a cheap broadcast channel risks deliverability failure, even when its content is lawful.

For abusive senders, provider rules raise the cost of disguise. They do not end abuse. Attackers still compromise real accounts, exploit forwarding paths, register lookalike domains, use trusted cloud infrastructure, and test filters. But authentication makes many old spoofing tactics harder. It also gives domain owners visibility into who is sending in their name.

SPF, DKIM and DMARC are retrofits for a system that trusted too easily

Email’s basic transport model was not designed with strong sender identity. SMTP, standardized in RFC 821 in 1982 and later updated by RFC 5321, focuses on mail transport between sending and receiving systems. RFC 5321 describes SMTP as the basic protocol for internet electronic mail transport and notes that it consolidates and updates prior documents, including RFC 821. The original model trusted senders more than modern threat conditions allow.

SPF, DKIM, and DMARC are not replacements for email. They are layered controls. SPF lets a domain publish which hosts may send mail for it. RFC 7208 says existing protocols place no restriction on what a sending host can use as the MAIL FROM identity or HELO/EHLO domain, and SPF lets domains authorize hosts so receivers can check that authorization. DKIM adds a cryptographic signature tied to a signing domain, letting a domain claim responsibility for a message and allowing receivers to validate that claim through DNS. DMARC connects authentication to the visible From domain and lets domain owners publish policies telling receivers what to do with messages that fail checks, from monitoring to quarantine to rejection.

NIST describes these mechanisms as part of IETF efforts to secure email infrastructure: SPF for source authentication, DKIM for message integrity authentication, and DMARC for domain-owner feedback on those methods.

Core email authentication controls

| Control | Main purpose | Abuse it addresses | Main limit |
|---|---|---|---|
| SPF | Lists servers allowed to send for a domain | Unauthorized sending from unapproved infrastructure | Forwarding and visible From alignment can complicate results |
| DKIM | Signs messages with a domain-linked cryptographic key | Tampering and unsigned impersonation | A valid signature does not prove the message is wanted |
| DMARC | Connects SPF/DKIM results to the visible From domain and policy | Direct domain spoofing and weak reporting | Requires correct alignment and careful rollout |

These controls matter because they turn identity from a claim into a test. They do not decide whether a message is useful, welcome, or honest, but they give receivers stronger evidence about whether the sender is authorized to use the domain shown to the recipient.

The phrase “retrofit” is not an insult. It is the honest engineering reality. Email became too useful to replace, so the industry layered authentication onto it. That has strengths and weaknesses. It preserves compatibility and allows gradual adoption. It also creates complex edge cases around forwarding, mailing lists, third-party senders, subdomains, and misconfigured DNS.

The modern anti-spam stack is not one filter. It is a chain of partial proofs. Each proof lowers risk in one area while leaving others open. SPF does not stop a compromised authorized server. DKIM does not make a fraudulent message morally legitimate. DMARC does not stop lookalike domains. Machine learning does not replace authentication. User training does not fix domain spoofing. Good defense uses the pieces together.
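The "chain of partial proofs" can be made concrete with the DMARC decision a receiver makes once SPF and DKIM results are in. The following Python sketch is an added example, not code from the original article or from any mail provider; the domains, DMARC records, scenario names and the tiny public-suffix set are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List (assumption for this example);
# a real receiver derives organizational domains from the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "test", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain = longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into tags; alignment defaults to relaxed."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


@dataclass
class AuthResult:
    method: str  # "spf" or "dkim"
    domain: str  # SPF: MAIL FROM domain; DKIM: the signature's d= domain
    result: str  # "pass", "fail", "none", ...


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ("s") needs an exact match; relaxed ("r") compares org domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(from_domain: str, results: list, record_txt: str) -> dict:
    """DMARC passes if at least one mechanism both passes and aligns with From."""
    policy = parse_dmarc_record(record_txt)
    passing = [
        f"{r.method}:{r.domain}"
        for r in results
        if r.result == "pass"
        and aligned(r.domain, from_domain,
                    policy["aspf" if r.method == "spf" else "adkim"])
    ]
    if passing:
        return {"dmarc": "pass", "disposition": "none", "aligned_by": passing}
    return {"dmarc": "fail", "disposition": policy.get("p", "none"),
            "aligned_by": []}


# Constructed records: what the receiver finds at _dmarc.<From domain>.
BRAND_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"
LOOKALIKE_RECORD = "v=DMARC1; p=reject"

# Constructed scenarios: (visible From domain, SPF/DKIM results, DMARC record).
SCENARIOS = {
    "direct": ("example.com",
               [AuthResult("spf", "bounce.example.com", "pass"),
                AuthResult("dkim", "example.com", "pass")], BRAND_RECORD),
    # Forwarding breaks SPF, but the DKIM signature still carries the message.
    "forwarded": ("example.com",
                  [AuthResult("spf", "example.com", "fail"),
                   AuthResult("dkim", "example.com", "pass")], BRAND_RECORD),
    # A vendor that authenticates only as itself: both pass, neither aligns.
    "unaligned_vendor": ("example.com",
                         [AuthResult("spf", "esp-mail.example.net", "pass"),
                          AuthResult("dkim", "esp-mail.example.net", "pass")],
                         BRAND_RECORD),
    # SPF passes for an unrelated domain; the brand's From is not covered.
    "direct_spoof": ("example.com",
                     [AuthResult("spf", "unrelated.test", "pass")], BRAND_RECORD),
    # A lookalike domain authenticates perfectly well as itself.
    "lookalike": ("examp1e.com",
                  [AuthResult("spf", "examp1e.com", "pass"),
                   AuthResult("dkim", "examp1e.com", "pass")], LOOKALIKE_RECORD),
}


def run_scenarios() -> dict:
    return {name: evaluate_dmarc(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18} {verdict}")
```

The last scenario is the reason receivers need reputation and content signals beside authentication: the DMARC verdict is "pass" because the check only asks whether the sender may use the domain shown, not whether that domain is the one the reader thinks it is.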

Spam evolved from nuisance into cybercrime infrastructure

The first spam email asked recipients to attend a product demonstration. Modern spam often carries credential theft, malware, fake invoices, ransomware lures, investment scams, romance fraud, and business email compromise. The FBI’s 2024 Internet Crime Report press release said IC3 received 859,532 complaints of suspected internet crime and reported losses exceeding $16 billion, a 33 percent increase from 2023. Those figures are not all email-driven, but email remains a major channel for fraud and social engineering.

CISA defines phishing as attempts by criminals to get people to open harmful links, emails, or attachments that may request personal information or infect devices. That definition shows the shift from unwanted messaging to active compromise. The inbox is no longer only a place where annoying messages waste time. It is a front door to identity, systems, money, and operational control.

This shift is visible in the language of security teams. They talk about initial access, payload delivery, credential harvesting, spoofing, impersonation, malware execution, and account takeover. The spam message is only the carrier. The real goal may be a login token, a wire transfer, a malicious OAuth grant, or persistence inside a company’s cloud environment.

Spam became infrastructure for fraud because email sits at the center of trust workflows. A bank uses email. A software vendor uses email. A government agency uses email. A CEO uses email. A school uses email. Attackers do not need to invent a new channel if they can imitate an existing trusted one.

That does not make every spam message a cyberattack. Many are merely unwanted promotions. But the defensive burden has to assume worst-case possibilities because one missed malicious message can have far greater consequences than a missed coupon. This imbalance pushes mailbox providers toward stricter filtering and pushes legitimate marketers toward better proof of permission and identity.

The result is an arms race that started, in a mild form, with Thuerk’s sales pitch. Each time senders find a way to reach users cheaply, defenders build a way to sort, authenticate, block, or punish. Each defense creates new incentives for evasion. The history of spam is the history of email becoming too useful to trust casually.

The first spam email was not phishing, but it opened the same door

It would be inaccurate to call Thuerk’s 1978 email phishing. It did not try to steal passwords, impersonate a bank, install malware, or trick recipients into sending money. It named a real company and advertised real product demonstrations. The connection to phishing is structural, not moral. Thuerk showed that email could be used to push a sender’s agenda into many inboxes at once; criminals later used the same reach for deception.

Phishing depends on three email traits. The message arrives in a space users already trust. It can imitate a known institution. It can ask the recipient to act quickly: click, sign in, open, approve, reply, transfer, or reset. Spam supply chains refine those traits through volume, targeting, impersonation, and testing.

Modern phishing is less crude than the old stereotype of misspelled scam messages. Attackers use real brand templates, clean grammar, compromised accounts, QR codes, cloud document links, fake collaboration notices, and adversary-in-the-middle techniques. Generative AI makes plausible variation cheaper. It also reduces the old language signals that filters and users once relied on.

Research into phishing defenses reflects this complexity. A 2022 systematic literature review of anti-phishing defenses describes categories such as blocklists, heuristics, content analysis, visual approaches, machine learning, and proactive methods, while noting that sophisticated attacks may not rely on a simple link-click path at all. A 2024 paper on AI-generated phishing emails argues that generative AI can create different messages for different victims, making pattern-based detection harder, while also creating new detection signals for trained models.

This is the modern form of the 1978 lesson. A message’s danger is not only in the content. It is in the relationship between sender identity, recipient expectation, delivery path, timing, and requested action. A harmless-looking calendar invite can be malicious. A routine invoice can redirect payment. A vendor email can be real but sent from a compromised account.

The first spam email was a primitive use of reach. Phishing is reach plus deception. Business email compromise is deception plus process exploitation. Ransomware delivery is deception plus malware. The ladder is long, but the first rung is the same: one sender gets inside the recipient’s workflow.

Cold outreach still lives in Thuerk’s shadow

Sales teams often see cold email as ordinary business development. Recipients often see it as inbox pollution. Both views can be sincere. A founder searching for customers, a recruiter contacting a candidate, or a vendor inviting a technical buyer to a webinar may believe the message is relevant. The recipient may still feel that their address was taken, their attention was presumed, and their inbox was treated as a free distribution channel.

This is Thuerk’s dilemma in current form. The message may be targeted. The product may be real. The sender may not be hiding. Yet the recipient’s consent may be weak or absent. The more senders use personalization software, enrichment tools, scraped databases, and automated follow-up sequences, the more cold outreach begins to resemble industrialized interruption.

Legal compliance does not settle the trust question. CAN-SPAM allows certain unsolicited commercial messages if they meet requirements. Mailbox providers may still filter them. Recipients may still report them. Corporate security gateways may still treat them as suspicious. The inbox is governed by three overlapping authorities: law, provider policy, and user tolerance. A campaign has to survive all three.

This creates practical consequences for brands. Sender reputation is not only a technical score. It is a measure of whether recipients behave as though they expected the message. Opens, replies, deletions, spam reports, bounces, unsubscribe patterns, and complaint rates feed into deliverability. Bad outreach does not merely annoy prospects; it damages future mail from the same domain or infrastructure.

The cleanest strategic answer is not “never send commercial email.” It is to treat permission as an asset and interruption as debt. A sender who earns subscriptions, sets expectations, sends relevant messages, authenticates properly, and makes refusal easy is building deliverability. A sender who buys lists, hides identity, over-automates follow-ups, and treats low response as a reason to increase volume is borrowing against trust.

The 1978 email worked as an event invitation because the audience was technically relevant. It failed as a network act because the channel had not consented to that use. Modern senders need to hear both sides of that sentence.

The inbox became a reputation market

Email delivery now works less like a pipe and more like a reputation market. Mailbox providers evaluate sending domains, IP addresses, authentication, complaints, engagement, bounce rates, content signals, link reputation, historical behavior, and user feedback. A sender does not simply “send an email.” A sender enters a trust calculation.

Google’s 2024 bulk sender rules make this explicit. High-volume senders to Gmail need authentication, easy unsubscribe, and low spam complaints. Google’s sender guidelines require SPF or DKIM for all senders and SPF, DKIM, and DMARC for bulk senders. Microsoft’s 2025 Outlook requirements move in the same direction with mandatory SPF, DKIM, and DMARC for high-volume senders.

This matters for news publishers, ecommerce companies, SaaS firms, nonprofits, political campaigns, and agencies. Deliverability is not a back-office setting. It affects revenue, customer support, retention, security, and brand trust. A password reset email that lands in spam is a product problem. A receipt that fails authentication is a finance problem. A newsletter domain burned by aggressive acquisition campaigns is a media problem.

Every sender now has to prove three things: identity, permission, and restraint. Identity says, “This message is really from the domain it claims.” Permission says, “The recipient has a reason to expect this.” Restraint says, “The sender is not abusing frequency, volume, or targeting.” Technical systems verify the first more easily than the other two. User behavior and provider policy infer the rest.

This reputation model is the institutional answer to the old ARPANET community norm. In 1978, users complained and an administrator reprimanded the sender. In 2026, millions of user signals and automated systems apply pressure continuously. The social complaint became machine-readable.

That has benefits and risks. It helps block abuse at scale. It also gives major providers enormous gatekeeping power over speech, commerce, and organizational communication. A false positive can suppress legitimate mail. A poorly configured domain can break business operations. A policy change by Gmail or Outlook can force urgent technical work across thousands of companies.

The reputation market is therefore both necessary and uncomfortable. It is necessary because open delivery invites abuse. It is uncomfortable because private infrastructure now enforces rules that affect public communication.

The business lesson is permission, not just compliance

Marketers sometimes treat compliance as a checklist: physical address, unsubscribe link, honest subject line, proper headers. Those items matter. The FTC guide lists them clearly, and failure can be costly. Yet a checklist alone does not protect inbox trust.

Permission is wider than a legal standard. It includes how the address was collected, what the person was told, how often the sender writes, whether the content matches the expectation, whether unsubscribing works, and whether the sender respects silence. The best email programs are built around remembered consent, not forced tolerance.

Thuerk’s email shows the difference. The recipients were relevant. The product was real. The message was arguably useful to some. But the network’s users had not agreed that their directory entries were fair game for commercial mass invitations. The sender treated address availability as permission. That mistake has been repeated ever since.

Modern data tools make the mistake easier. People publish work emails on websites, LinkedIn profiles, conference pages, GitHub repositories, university directories, procurement records, and press pages. Sales databases compile and enrich those addresses. Automation platforms sequence messages. None of that means the recipient wants the outreach. Public visibility is not consent.

For publishers and brands, permission also protects editorial credibility. A trusted newsletter is not just a delivery channel. It is a relationship. Readers open it because they expect a certain kind of value and voice. If that list becomes overloaded with promotions, partner blasts, irrelevant offers, or hidden sponsorships, the sender may remain compliant while losing the audience.

The same applies to B2B marketing. A small, high-intent list often outperforms a large indifferent list because engagement supports deliverability and trust. A sender who burns reputation for short-term lead volume may hurt sales, support, and product communication later.

The strategic lesson from 1978 is not that businesses should avoid email. It is that email’s power depends on restraint. The sender’s right question is not “Can we send this?” but “Will the recipient recognize why they received it, trust who sent it, and feel in control after opening it?”

The security lesson is identity alone cannot solve unwanted mail

SPF, DKIM, and DMARC are crucial, but they do not solve spam by themselves. They authenticate domains and policies. They do not guarantee truth, quality, safety, consent, or relevance. A perfectly authenticated email can still be unwanted. A signed message can still be a scam if the sender’s account was compromised or if the domain itself was created for fraud.

Research on email sender spoofing underscores this point. A 2020 large-scale analysis found that the email authenticity chain spans protocols, roles, and services, and that inconsistencies can create bypass opportunities against SPF, DKIM, DMARC, and user-interface protections. A 2023 study of forwarding mechanisms found that automated forwarding and mailing list behavior can break assumptions in anti-spoofing protocols and create spoofing risks across prominent providers and sensitive domains.

These studies do not mean authentication is pointless. They mean authentication is part of a layered model. Identity proof reduces one class of abuse; it does not certify intent. A domain can be authenticated and still send junk. A real mailbox can be compromised and used for fraud. A lookalike domain can pass authentication for itself while impersonating a brand visually. A legitimate cloud service can host malicious landing pages.

This is why modern filters combine signals. They look at authentication results, domain age, IP history, link destinations, attachment behavior, user reports, sending volume, conversation history, language patterns, and organizational context. Enterprise security tools add sandboxing, URL rewriting, attachment detonation, impersonation detection, executive name matching, and behavioral baselines.

The human layer remains part of defense, but it should not be the only layer. Telling users to “spot phishing” is not enough when attackers use compromised accounts, legitimate services, and polished language. Users need report tools, clear warnings, process checks for payments, phishing-resistant authentication, and systems that block or flag suspicious messages before the click.

The 1978 case was simple because the sender was obvious and the offense was social. Modern email abuse is harder because identity, intent, and infrastructure can be split. A message may look like it comes from a trusted sender, pass some checks, fail others, and still ask for a dangerous action. The defense must handle ambiguity at speed.

The public policy lesson is that opt-out came too late for many users

CAN-SPAM’s opt-out model gives recipients the right to stop future commercial messages from a sender. The FTC says opt-out mechanisms must work for at least 30 days after sending and that senders must honor requests within 10 business days. This is a real protection. It is also reactive. The unwanted message arrives first; the recipient’s control comes after.

An opt-in model reverses that order. The sender needs consent before sending marketing email. Many jurisdictions and sectors use stricter consent rules than CAN-SPAM. The global email environment therefore operates across different legal cultures: U.S. commercial email rules, European privacy rules, telecom and messaging rules, platform policies, and industry standards. Senders with international audiences often need a stricter internal standard than the minimum U.S. rule.

The policy trade-off is familiar. Opt-out systems favor business reach and prospecting. Opt-in systems favor recipient control and trust. The cost of opt-out is inbox clutter and burden on recipients. The cost of opt-in is reduced cold access for legitimate new businesses, recruiters, civic groups, and publishers. There is no frictionless answer because email is both a commercial channel and a personal workspace.

The direction of provider policy is moving closer to opt-in discipline even where law permits opt-out outreach. Google’s complaint thresholds and unsubscribe requirements punish senders that recipients reject. Outlook’s high-volume rules require authentication. Bulk senders that rely on weak consent may comply with law but still lose inbox placement.

This private enforcement changes the policy balance. A sender may ask, “Is it legal?” The inbox provider asks, “Do recipients want it?” Those are different tests. In practice, the provider test often matters more because a lawful message that never reaches the inbox has little commercial value.

The 1978 ARPANET backlash was the earliest version of that recipient-centered test. Users did not parse statutory requirements. They judged the message against the channel’s purpose. Modern spam buttons perform the same function at scale. They turn user irritation into a delivery signal.

The technical story is also a story about governance

Networks are governed through code, standards, contracts, policies, institutions, norms, and enforcement. ARPANET’s early governance leaned heavily on community norms and technical stewardship. The modern email ecosystem leans on standards bodies, mailbox providers, regulators, security vendors, anti-abuse groups, domain registries, DNS operators, and user feedback.

The Internet Society’s history emphasizes the role of open RFC documentation in internet growth, noting that free access to specifications supported education, implementation, and coordination. That openness allowed email to spread. It also meant that fixing email abuse had to happen in public, interoperable layers rather than through one company’s closed redesign.

M3AAWG, the Messaging, Malware and Mobile Anti-Abuse Working Group, now publishes best practices and policy guidance for fighting messaging abuse, malware, and mobile threats. NIST has supported work around email authentication testing, while the IETF defines and maintains the RFCs that specify SPF, DKIM, DMARC, and SMTP behavior.

This governance is distributed because email is distributed. There is no single email company that can impose a universal rewrite. Gmail can set rules for Gmail inboxes. Microsoft can set rules for Outlook. A government can regulate messages under its jurisdiction. A domain owner can publish DMARC policy. A receiving server can reject. A user can report. A sender can improve practices. Each actor controls a piece.

Spam exists in the gaps between those pieces. A bad actor may send from one country, host links in another, use a domain registered through a third, route mail through compromised infrastructure, and target recipients worldwide. Legal jurisdiction, technical attribution, and provider enforcement rarely line up perfectly.

The first spam email, by contrast, happened inside a much smaller governance world. The sender was identifiable. The network was limited. Complaints could reach administrators. That simplicity disappeared as email globalized. The lesson is not nostalgia. Small trusted networks cannot support global communication. The lesson is that governance must scale with reach, or abuse will scale faster.

The media memory of the first spam email is useful but incomplete

The Thuerk story is often retold as a quirky internet anniversary: one marketer, one early network, one annoying message, then decades of spam. That version is memorable, but it risks making the event sound like a novelty. The deeper story is about the first collision between direct marketing and networked attention.

Computer History Museum frames the event as the earliest known case of spam and notes the negative reaction. Guinness World Records preserves the date, time, sender, employer, count, and product demonstration details. The New Yorker places it in the longer story of junk email economics and later botnet-driven abuse. Templeton’s work separates the 1978 act from the later naming of spam and the 1994 Usenet explosion.

Each source supplies a different layer. The museum gives the landmark. Guinness gives record-style precision. Templeton gives culture and terminology. The New Yorker gives narrative and economics. RFC 706 gives the technical warning that preceded the event. The IETF RFCs give the later engineering response. The FTC and Congress give the legal response. Gmail and Outlook give the current provider response.

The first spam email is best understood as a case study, not a birthday. It shows how technological affordances become social conflicts, how commercial incentives test community norms, how user complaints become governance pressure, and how weak identity and low sending costs create long-term abuse.

This matters for journalists and publishers because “firsts” often flatten history. A clean anniversary story may attract clicks, but the richer account gives readers a useful model. Thuerk was not a cartoon villain. ARPANET was not the modern internet. The message was not phishing. The word spam came later. The harm was real but small compared with today’s fraud. The lesson sits in the mechanism, not the drama.

The mechanism is simple enough to state: when communication costs collapse for senders but not for recipients, unwanted messages multiply unless the system adds consent, authentication, reputation, and enforcement.

Lessons for brands still using email in 2026

Email remains one of the strongest owned channels for brands, publishers, SaaS companies, ecommerce stores, agencies, and communities. It does not depend on a social platform feed, and it reaches people in a workspace they still check. That power is exactly why the standards are rising. Brands cannot treat inbox access as an entitlement.

The first lesson is technical hygiene. Domains need SPF, DKIM, and DMARC configured correctly. Bulk senders need alignment. Sending services must be authorized. Subdomains should be separated by mail stream: marketing, transactional, corporate, and support. Bounce handling should be clean. Complaint monitoring should be active. Unsubscribe must work. These are not optional details for serious senders anymore; Google and Microsoft have moved authentication from advice into enforcement for high-volume senders.

The second lesson is list quality. Purchased, scraped, or stale lists carry risk. They produce bounces, spam complaints, low engagement, and potential legal exposure. Smaller lists with clear consent beat inflated databases that damage reputation. A sender’s worst addresses often define its deliverability.

The third lesson is expectation. A reader who signed up for product updates may not want daily partner promotions. A customer who bought once may not want months of unrelated offers. A conference attendee may accept event logistics but reject sponsor blasts. Permission has scope. Violating that scope may not always break law, but it breaks trust.

The fourth lesson is content honesty. Subject lines should match the message. Sender names should be recognizable. Personalization should not pretend to be a relationship that does not exist. Artificial familiarity may lift short-term opens but raise complaints and distrust.

The fifth lesson is restraint. Frequency is a trust decision. Every campaign consumes attention. Brands often measure what they send and what they earn, but they undercount what they spend: audience patience. Email marketing works when recipients believe the sender is careful with their inbox.

Thuerk’s campaign is a warning because it was plausible. That is why it still applies. The most dangerous email mistakes are not always absurd scams. They are rational business choices that ignore recipient control.

Lessons for security teams defending the inbox

Security teams should read the Thuerk story as the origin of a control problem: a trusted communication channel allowed a sender to reach many people without strong recipient-side refusal. The modern version is much harder because senders may be anonymous, compromised, or technically authenticated while still malicious.

The first security lesson is to protect identity at the domain level. SPF, DKIM, and DMARC should be deployed, monitored, and moved toward stricter policy where safe. DMARC reporting should be reviewed, not just enabled. Third-party senders should be inventoried. Shadow email platforms should be removed or authenticated. A domain that is not actively governed becomes an impersonation surface.
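Reviewing DMARC reports in practice means sorting sending sources into those that align, those that authenticate only as some other domain (usually an uninventoried third-party sender), and those that pass nothing. The Python sketch below is an added example, not part of the original article; the report content, IP addresses (documentation ranges), the `triage` function name and its status labels are constructed assumptions, while the XML layout follows the aggregate report format in RFC 7489.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 layout; all values are sample data.
SAMPLE_REPORT = """
<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp-mail.example.net</domain><result>pass</result></dkim>
      <spf><domain>esp-mail.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.44</source_ip><count>80</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""

ACTIONS = {
    "aligned": "no action",
    "unaligned": "authenticates as another domain; identify the service and "
                 "align its DKIM or SPF with the From domain",
    "unauthenticated": "nothing passes; unknown platform or spoofing, "
                       "investigate before tightening policy",
}


def triage(xml_text: str) -> dict:
    """Classify each reported source and compute the share of mail failing DMARC."""
    # Reports arrive from third parties: refuse DTDs and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report; refusing to parse")
    root = ET.fromstring(xml_text.strip())
    sources, total, failing = [], 0, 0
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the alignment-aware verdicts per mechanism.
        verdicts = (rec.findtext("row/policy_evaluated/dkim"),
                    rec.findtext("row/policy_evaluated/spf"))
        auth = rec.find("auth_results")
        # auth_results holds the raw results and the domains they were for.
        passed_as = sorted({m.findtext("domain")
                            for m in (list(auth) if auth is not None else [])
                            if m.findtext("result") == "pass"})
        if "pass" in verdicts:
            status = "aligned"
        elif passed_as:
            status = "unaligned"
        else:
            status = "unauthenticated"
        total += count
        failing += 0 if status == "aligned" else count
        sources.append({"source_ip": rec.findtext("row/source_ip"),
                        "count": count, "status": status,
                        "passed_as": passed_as, "action": ACTIONS[status]})
    # Failing sources first, largest volume first.
    sources.sort(key=lambda s: (s["status"] == "aligned", -s["count"]))
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "fail_share": round(failing / total, 3) if total else 0.0,
            "sources": sources}


if __name__ == "__main__":
    report = triage(SAMPLE_REPORT)
    print(report["domain"], "p=" + report["policy"], "fail share", report["fail_share"])
    for s in report["sources"]:
        print(s["source_ip"], s["count"], s["status"], s["passed_as"])
```

In this constructed report about a fifth of the mail would be affected by moving from `p=none` to a stricter policy, and most of that volume is a single vendor that needs alignment rather than blocking.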

The second lesson is to protect human workflows. Business email compromise often succeeds not because the email server fails, but because a process allows a payment change, gift card purchase, payroll update, or credential reset based on a message. High-risk actions need out-of-band verification, role-based approvals, and clear escalation paths. Email should not be the only proof for money movement.

The third lesson is to reduce inbox ambiguity. Security banners, external sender tags, impersonation warnings, and report buttons should be clear, but not so noisy that users ignore them. False positives weaken trust in warnings. Good security design makes the unusual visible without turning every message into an alarm.

The fourth lesson is to train on behavior, not trivia. Users do not need folklore about bad grammar. They need to recognize unsafe requests: urgent payment changes, unexpected attachments, credential prompts, QR codes leading to login pages, OAuth consent screens, unusual file shares, and pressure to bypass normal process.

The fifth lesson is to measure what gets through. A blocked-message dashboard is useful, but delivered phishing is the sharper metric. Recent research on enterprise phishing infrastructure found that a large share of phishing can originate from reputable networks, which helps explain why static blocklists alone miss attacks.

The inbox should be treated as an attack surface, not merely a productivity tool. Thuerk’s email triggered annoyance. Modern malicious mail can trigger breach, fraud, and operational disruption.

Lessons for journalists covering spam anniversaries

The first spam email is a good story because it is concrete: a named person, a date, a network, a company, a product, and a reaction. It is also easy to oversimplify. Journalists should avoid three traps.

The first trap is calling it the first email spam without qualification. A better phrase is the first widely documented commercial spam email on ARPANET. That leaves room for earlier unwanted electronic messages and for RFC 706’s 1975 warning about junk mail.

The second trap is treating Thuerk as the inventor of all spam. He did not invent phishing, botnets, malware campaigns, spoofing, or the term “spam.” He used an available network to send an unsolicited commercial message. The later industry of spam came from different actors, bigger incentives, wider access, and weaker accountability.

The third trap is making the event cute. A quirky anniversary angle can miss the serious continuity: cheap sender-side distribution, weak refusal mechanisms, social backlash, and delayed governance. Those are still live issues in AI-generated outreach, synthetic voice scams, messaging platform abuse, social media spam, and notification overload.

Good coverage should also correct “APARNET” to ARPANET without mocking the error. Many readers know the rough story but not the acronym. ARPANET was the Advanced Research Projects Agency Network, a predecessor of the internet. DARPA’s historical account places its first computer-to-computer signal in 1969, while later histories explain how electronic mail became one of the network’s defining applications.

The story should separate fact from uncertainty. The date May 3, 1978 is well supported. The recipient count varies across sources. The role of DEC is clear. The product family is clear. The negative reaction is well documented. The sales impact is reported in later accounts but should be attributed with care.

A precise version of the story is more interesting than the myth. It shows that spam began not with absurdity, but with a believable business decision made inside a network that had not yet built the defenses its own success would require.

AI brings the spam problem back to language itself

Generative AI changes spam in a way that reaches back to the oldest defenses. Many filters once relied heavily on text signals: repeated phrases, suspicious vocabulary, misspellings, unusual formatting, and known templates. Attackers adapted with obfuscation, images, polymorphic text, and compromised infrastructure. AI adds cheap variation with better grammar and more plausible context.

A phishing message no longer needs to be badly written. It can match a company’s tone, use industry jargon, reference public events, and produce many versions of the same lure. A sales spammer can generate thousands of personalized openers from scraped profiles. A fraudster can localize scams across languages. The old user advice — “look for spelling mistakes” — is now weak.

Academic work on AI-based phishing warns that automatically generated messages can differ from one victim to another, reducing the value of simple pattern matching, while also creating new features that detectors can learn. This is the next stage of the same arms race The New Yorker described in earlier forms: filters adapt, spammers adapt, defenders adapt again.

AI also blurs the line between spam and legitimate marketing. Many brands now use AI to draft subject lines, segment audiences, write outreach, and personalize messages. The technology is not inherently abusive. The risk is scale without judgment. If AI makes it cheap to send “personalized” cold email to millions of people, the recipient experience may get worse even when each message sounds more human.

The future spam problem may be less about ugly messages and more about synthetic relevance. A message can mention your role, company, article, city, or technology stack and still be mass-generated interruption. Recipients may become more suspicious of personalization, not less, if it feels extracted rather than earned.

For marketers, the answer is not to avoid AI writing tools. It is to keep human accountability for consent, targeting, frequency, and truth. For security teams, the answer is to rely less on surface language and more on identity, behavior, link analysis, process controls, and anomaly detection.

Thuerk’s 1978 email was manually awkward by today’s standards. AI makes the next Thuerk-style pitch smoother, cheaper, and more scalable. That raises the same old question in sharper form: just because a sender can reach someone convincingly, should they?

The spam folder is a social compromise disguised as a feature

The spam folder feels ordinary now. It is not. It represents a negotiated failure. The system cannot fully prevent unwanted messages from arriving, and it cannot risk deleting every suspicious message outright, so it creates a holding area. The spam folder says: “We think this is unwanted or unsafe, but we might be wrong.”

That compromise reflects email’s core tension. People need reliable delivery for legitimate messages. Providers need to protect users from abuse. Senders need a path to reach subscribers and customers. Attackers exploit any gap. A hard rejection model would block more abuse but risk losing legitimate mail. A permissive model would preserve reach but drown users. The spam folder sits between those extremes.

Thuerk’s recipients did not have a modern spam folder. They had their inboxes, their norms, and their ability to complain. Modern users have filters, categories, quarantine, block buttons, and unsubscribe tools. Yet the burden remains. Users still check spam folders for missing password resets. Companies still ask customers to “check your junk folder.” Security teams still worry about malicious messages that reach the inbox and legitimate messages that get trapped.

The spam folder is evidence that email never solved consent at the door. It sorts after the sender has already attempted delivery. Provider-level rejection is growing, especially for unauthenticated or noncompliant bulk mail, but quarantine remains a central part of the system.

This has business impact. Deliverability is not binary. A message can be accepted by the receiving server but placed in spam. It can land in a promotions tab rather than the primary inbox. It can be clipped, warned, delayed, or hidden behind images-off defaults. A marketer who measures only “sent” or “delivered” may misunderstand actual attention.

The spam folder also affects user psychology. It trains people to distrust unknown senders and to expect that some legitimate messages may be misplaced. That distrust is rational. It is also costly. It makes cold outreach harder, customer support noisier, and digital communication less certain.

In 1978, one unsolicited email prompted direct complaints. In 2026, billions of unwanted messages are absorbed by automated sorting systems before users see them. The complaint moved from a human message to a button, a model, and a folder.

The first spam email exposed the difference between reach and relationship

Reach is the ability to get a message in front of someone. Relationship is the reason they accept it. Spam begins when senders confuse the two. Thuerk had reach through ARPANET addresses. He did not have a relationship with every recipient. That gap created backlash.

Modern tools widen the gap. Data brokers, scraping tools, enrichment APIs, marketing automation, and AI copy systems produce the illusion of relationship. A sender can know a person’s title, employer, stack, funding round, hiring status, or recent post. That knowledge may improve targeting, but it does not create consent. It may even feel more invasive.

The inbox rewards relationship more than reach because recipients control the final judgment. They open, ignore, delete, report, unsubscribe, block, or reply. Providers observe those choices. Reputation follows.

This is why publishers with loyal newsletters can outperform brands with huge purchased lists. It is why a plain-text note from a known person can beat a polished campaign from an unknown sender. It is why transactional messages usually get better inbox placement than promotional blasts. The recipient’s expectation changes the meaning of the message.

Relationship also explains why frequency is not universal. A daily briefing may be welcome from a trusted news source. A daily sales email from a software vendor may feel oppressive. A weekly product update may be fine for active users and irrelevant for dormant leads. Spam perception depends on the promise made at signup and the value delivered afterward.

The first spam email did not fail because nobody cared about DEC systems. Some recipients likely did. It failed because the sender’s reach exceeded the relationship. That is the cleanest ethical reading of the event.

For organizations, this means email strategy should begin before the campaign. It begins at address collection: what was promised, how was consent recorded, what category of mail was expected, and how will the recipient control future contact? If those questions are weak, copywriting cannot fix the trust gap.

The first spam email still matters for Google News and search-era publishing

For publishers covering technology history, the Thuerk story is a strong evergreen news analysis topic because it connects a dated event to current reader concerns: spam, phishing, email marketing, cybercrime, inbox rules, AI-generated outreach, and internet governance. It has named entities, clear dates, authoritative sources, and practical relevance. Those traits matter for search visibility and answer-engine retrieval.

But the piece must avoid thin nostalgia. A short “on this day” note will compete with many similar summaries. A stronger article explains mechanisms: ARPANET’s trust culture, DEC’s business motive, Postel’s junk mail warning, the later naming of spam, the CAN-SPAM legal framework, email authentication, provider rules, AI phishing, and current business lessons. That semantic breadth helps both human readers and retrieval systems.

The article’s strongest search answer is simple: Gary Thuerk sent the first widely documented commercial spam email on May 3, 1978, over ARPANET, promoting DEC’s DECSYSTEM-20 family to roughly 400 recipients. The deeper value is explaining why that one message still predicts the inbox’s problems.

Search engines and AI answer systems favor extractable facts backed by sources. This story has strong anchors: Computer History Museum for the event, Guinness for record details, RFC 706 for prior technical concern, DARPA and Internet Society for ARPANET history, FTC and Congress for law, IETF RFCs for authentication standards, Google and Microsoft for current provider rules, and FBI/CISA for modern threat context. Those sources let the article avoid folklore.

For Google Discover, the angle should be human but not sensational. “The first spam email was a business pitch” is surprising without being clickbait. “Gary Thuerk still explains the spam problem” connects history to the present. The story works because readers recognize the annoyance and risk of unwanted email immediately.

For AI Overviews and answer engines, definitions should be direct. The article should state that ARPANET, not “APARNET,” was the network. It should distinguish spam from phishing. It should explain SPF, DKIM, and DMARC in concise terms. It should note that the term “spam” came later. It should give the best-supported date while acknowledging count differences.

This is not SEO padding. It is editorial clarity. A historically precise article serves readers better and gives retrieval systems cleaner facts.

The unresolved issue is consent at scale

Every major stage of anti-spam history has tried to answer one question: how can a system carry wanted messages at scale without becoming a free-fire zone for unwanted ones? ARPANET norms answered through community pressure. RFC 706 imagined technical refusal. CAN-SPAM answered through sender duties and opt-out rights. SPF, DKIM, and DMARC answered through domain authentication and policy. Gmail and Outlook answer through enforced sender requirements and reputation. Security teams answer through layered detection. Users answer through spam reports.

None of these answers is complete. Consent is hard at scale because people change jobs, abandon accounts, forget signups, share addresses, use aliases, forward mail, join organizations, attend events, and interact with brands across many systems. Senders merge databases, change vendors, acquire companies, add partner programs, and automate campaigns. Attackers compromise legitimate accounts and domains. The consent state of an address is not always obvious to the system that sends the next message.

The inbox needs proof of identity, but it also needs proof of expectation. Identity is easier to encode than expectation. DNS can publish authorized senders. It is much harder for a DNS record to prove that a recipient wanted this specific message at this specific frequency for this specific purpose.

Some systems attempt pieces of that proof: list-unsubscribe headers, preference centers, double opt-in, consent logs, feedback loops, engagement scoring, and complaint thresholds. These tools are useful, but they remain indirect. They infer expectation from behavior and records.
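The gap between proof of identity and proof of expectation can be seen in message headers. The Python sketch below is an added example, not code from any provider or from this article's sources. It reads the `Authentication-Results` header (RFC 8601) for an aligned SPF or DKIM pass, then looks for `List-Unsubscribe` (RFC 2369) and one-click unsubscribe (RFC 8058). Assumptions: the sample messages are constructed, `mx.receiver.example` stands in for the receiving server's own authserv-id, and the organizational domain is approximated as the last two labels rather than taken from the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.receiver.example"  # assumption: authserv-id of our own MTA


def org_domain(domain):
    # Simplification: last two labels. A real check uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(msg, trusted=TRUSTED_AUTHSERV):
    """Collect spf/dkim/dmarc verdicts stamped by our own server only.
    Headers carrying any other authserv-id are ignored, because a sender
    can write whatever it likes into headers it adds itself."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", value.lower())  # drop comments
        authserv, _, rest = " ".join(value.split()).partition(";")
        if authserv.split(" ")[0] != trusted:
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
            if m:
                props = dict(re.findall(r"([a-z]+\.[a-z\-]+)=(\S+)", clause))
                results.setdefault(m.group(1), []).append((m.group(2), props))
    return results


def identity_ok(msg, results):
    """Relaxed DMARC-style alignment: a passing SPF or DKIM result whose
    domain shares the organizational domain of the visible From address."""
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not from_dom:
        return False
    for method, key in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        for verdict, props in results.get(method, []):
            dom = props.get(key, "").rpartition("@")[2]
            if verdict == "pass" and dom and org_domain(dom) == org_domain(from_dom):
                return True
    return False


def refusal_signals(msg):
    """Indirect expectation signals: an unsubscribe target and one-click POST."""
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    has_https = any(u.lower().startswith("https://") for u in uris)
    post = "".join(msg.get("List-Unsubscribe-Post", "").split()).lower()
    return {"list_unsubscribe": bool(uris),
            "one_click": has_https and post == "list-unsubscribe=one-click"}


def assess(raw):
    msg = message_from_string(raw)
    verdict = {"identity_ok": identity_ok(msg, parse_auth_results(msg))}
    verdict.update(refusal_signals(msg))
    return verdict


# Constructed sample 1: fully authenticated cold pitch with no way to refuse.
COLD_PITCH = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce@mail.vendor.example;
 dkim=pass header.d=vendor.example;
 dmarc=pass header.from=vendor.example
From: Sales <sales@vendor.example>
Subject: Quick question about your stack

Saw your post about your deployment tooling.
"""

# Constructed sample 2: the only "pass" comes from a header our server did not write.
FORGED_RESULT = """\
Authentication-Results: mx.untrusted.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=bank.example; dkim=none
From: Bank <alerts@bank.example>
Subject: Account notice

Please review your account.
"""

# Constructed sample 3: authenticated newsletter with one-click unsubscribe.
NEWSLETTER = """\
Authentication-Results: mx.receiver.example; dkim=pass header.d=news.publisher.example
From: Daily Brief <brief@publisher.example>
List-Unsubscribe: <mailto:unsub@publisher.example>, <https://publisher.example/u/abc>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Subject: Today's briefing

Headlines follow.
"""

if __name__ == "__main__":
    for name, raw in (("cold pitch", COLD_PITCH), ("forged result", FORGED_RESULT),
                      ("newsletter", NEWSLETTER)):
        print(name, assess(raw))
```

The cold pitch passes every identity check and still carries no signal that the recipient expected it, which is why filters weigh complaints and engagement alongside authentication.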

The future may bring stronger consent signals, better personal agents, stricter provider policies, and more automated negotiation between senders and recipients. It may also bring more abuse through AI, compromised accounts, and cross-channel scams. The old tension will remain: communication gets value from openness, while abuse exploits openness.

Thuerk’s message is a clean early case because it lacked the layers that now obscure the issue. A sender wanted reach. Recipients wanted respect for the channel. The network lacked a mature way to reconcile those interests. That is still the unresolved issue, even after decades of filters.

The 1978 event in context

The first spam email did not happen in isolation. It sits among milestones in networking, email, spam terminology, law, and authentication. The timeline below keeps the story precise without turning it into folklore.

Milestones from ARPANET email to modern inbox rules

| Year | Event | Meaning |
|---|---|---|
| 1969 | First ARPANET computer-to-computer signal between UCLA and SRI | The packet-switched research network begins operating |
| 1971 | Ray Tomlinson sends network email and uses the “@” addressing model | Email becomes a network application |
| 1975 | RFC 706 warns about the “junk mail problem” | Engineers identify unwanted message traffic before commercial spam becomes famous |
| 1978 | Gary Thuerk sends DEC promotion over ARPANET | First widely documented commercial spam email |
| 1994 | Canter and Siegel mass-post the “green card” ad on Usenet | The term “spam” gains wide public force online |
| 2003 | CAN-SPAM Act becomes U.S. federal law | Commercial email gets a national legal framework |
| 2011–2015 | DKIM and DMARC standards mature through IETF publication | Domain authentication becomes central to anti-abuse work |
| 2024–2025 | Gmail, Yahoo, and Outlook tighten bulk sender rules | Major providers make authentication and low complaints baseline requirements |

The timeline shows that spam was never only a user nuisance. It moved through the technical, cultural, legal, and commercial layers of the internet. Each milestone answered a previous failure while revealing a new one.

The practical standard for ethical email is higher than the legal minimum

A serious sender in 2026 should not aim merely to avoid penalties. The better standard is: the recipient should understand who sent the message, why they received it, what value it carries, how often similar messages will arrive, and how to stop them. That standard is stricter than many laws but closer to how inbox providers and users judge mail.

Ethical email has five traits.

First, the sender is recognizable. The From name, domain, branding, and reply path match the relationship. Hidden senders and confusing aliases increase suspicion.

Second, the address source is legitimate. The recipient signed up, bought something, requested information, joined an event, or has a clear professional connection. The sender can explain the source without embarrassment.

Third, the content matches the expectation. A security alert is not disguised marketing. A newsletter does not become a daily sales funnel without warning. A webinar follow-up does not become permanent prospecting without consent.

Fourth, refusal is easy. Unsubscribe links work. Preference centers are clear. Replies are monitored where appropriate. Opt-outs are honored quickly and completely. The FTC’s requirement to honor opt-outs within 10 business days should be treated as a maximum, not a target.

Fifth, the sender monitors harm. Complaints, unsubscribes, low engagement, and support replies are not annoyances to suppress. They are feedback. They tell the sender whether reach has outgrown relationship.

The ethical line is crossed when the sender treats the inbox as inventory rather than a person’s working space. That was the mistake in 1978, even if the sender believed the message was useful. It remains the mistake behind bad outreach, list buying, deceptive newsletter growth, and aggressive automated sales sequences.

A brand that follows the higher standard gains more than moral comfort. It protects deliverability, reduces security suspicion, improves engagement, and builds long-term audience value. In email, trust is not soft. It is infrastructure.

The first spam email was small, but the pattern became enormous

A few hundred ARPANET recipients are a rounding error beside modern email volume. Gmail alone says it blocks nearly 15 billion unwanted emails each day. The scale difference is staggering, but the pattern is familiar. Low sending cost, weak recipient consent, and uneven identity proof create room for abuse.

The growth of spam also shows how small social breaches can become industrial problems when technology scales. Thuerk’s message needed a directory, a mail program, and manual effort. Later spammers used scripts, open relays, bulk mailing tools, botnets, compromised accounts, and cloud infrastructure. The invention was not one message; it was the discovery that the cost of reaching strangers had collapsed.

Once that discovery spread, filters became mandatory. The New Yorker’s 2007 report described spam as a massive daily burden and traced the rise of botnets and evolving evasion tactics. Modern providers now deploy machine learning, reputation systems, authentication checks, and massive abuse teams. Spam did not disappear because each new defense changed attacker behavior rather than removing the incentive.

The fight against spam is not a campaign with an end date. It is maintenance on a global trust system. Roads need traffic rules. Markets need fraud enforcement. Email needs anti-abuse controls. The need does not signal failure; it reflects scale.

Yet the first spam email also offers a hopeful point. Users objected immediately. Engineers had already thought about refusal. Communities developed vocabulary. Standards emerged. Laws were passed. Providers tightened rules. The internet did not ignore the problem. It struggled with it continuously.

The unresolved question is whether the next wave — AI-generated, highly personalized, cross-channel, and identity-aware spam — will outrun today’s controls. The answer depends on whether senders, providers, regulators, and users keep raising the cost of abuse while preserving the openness that makes email useful.

A sharper reading of Gary Thuerk’s legacy

Gary Thuerk is often called the father of spam. The label is catchy but incomplete. It overstates individual agency and understates system design. Thuerk did not create the conditions that made spam possible. He used them. Those conditions were cheap distribution, weak refusal, available address lists, and a culture still forming its rules for networked communication.

His legacy is therefore less about blame than about warning. He showed that a channel built for collaboration could be used for promotion. He showed that relevance in the sender’s mind does not equal permission in the recipient’s mind. He showed that a single message could produce both business results and community anger. He showed that the economics of email would always tempt people to push past norms.

The first spam email was not an accident in the history of email. It was an early disclosure of email’s central weakness. The inbox is powerful because it accepts messages from outside. It is vulnerable for the same reason.

A mature reading also avoids romanticizing the pre-spam internet. ARPANET was small, exclusive, and publicly funded. Its trust culture did not scale automatically to a global network of billions of users, businesses, criminals, governments, activists, and platforms. Abuse was not caused only by commercialization; it was enabled by openness meeting scale.

That is why the answer is not nostalgia. Nobody can return email to a closed research community. The answer is better governance of openness: stronger authentication, clearer consent, better user controls, sharper enforcement, safer defaults, and business practices that value trust over short-term reach.

Thuerk’s email remains worth writing about because it is a compact origin story for a problem that still shapes daily life. Every spam folder, unsubscribe link, DMARC report, phishing simulation, Gmail rejection, Outlook sender rule, and CAN-SPAM compliance checklist carries a trace of that moment.

The answer for the next era is disciplined openness

Email’s value comes from the fact that people and organizations can reach each other across systems. That openness should not be discarded. Closed messaging platforms bring their own problems: gatekeeping, surveillance, lock-in, moderation opacity, and broken interoperability. Email remains resilient because no single company owns it.

The task is to make openness disciplined. That means senders must prove identity, earn permission, respect frequency, and accept refusal. Providers must block abuse without burying legitimate communication. Regulators must punish deception without criminalizing ordinary contact. Standards bodies must improve authentication without breaking the messy realities of forwarding and mailing lists. Users must have controls that are easy enough to use and strong enough to matter.

This is hard work because email is old, global, and economically important. But the direction is clear. Gmail’s bulk sender rules, Microsoft’s high-volume requirements, DMARC adoption, phishing-resistant authentication, and better complaint feedback all push toward a more accountable inbox.

The risk is that accountability becomes concentrated only in the hands of a few giant providers. If Gmail, Outlook, Yahoo, and Apple become the de facto lawmakers of email, smaller senders and independent publishers may face opaque enforcement. The answer is not weaker rules. It is clearer rules, open standards, transparent diagnostics, and sender tools that let legitimate organizations comply without guesswork.

The future of email depends on preserving reach while restoring recipient control. That is the sentence Thuerk’s 1978 message leaves behind. Reach without control becomes spam. Control without reach becomes isolation. The internet has been negotiating between those poles since ARPANET.

The durable meaning of the first spam email

The first widely documented commercial spam email was a DEC product invitation sent by Gary Thuerk over ARPANET on May 3, 1978. It promoted real computers to technically relevant recipients. It also annoyed enough people to become a landmark in internet history. The event is small in volume, but large in meaning.

It matters because it reveals the inbox’s basic bargain. Email gives senders extraordinary access. In return, senders must respect identity, consent, context, and restraint. When they do not, recipients, providers, laws, and filters push back.

The story also reminds us that spam is not only a technical category. It is a social judgment, a business temptation, a legal subject, a security risk, and a governance challenge. Thuerk’s message sits at the center of those meanings because it appeared before the vocabulary and defenses were ready.

The cleanest lesson is this: the ability to send a message is not the same as the right to occupy someone’s attention. ARPANET users understood that in 1978. Modern inbox providers encode it in reputation systems. Regulators encode it in opt-out rights and anti-deception rules. Security teams encode it in authentication and filtering. Readers encode it every time they click “report spam.”

The first spam email did not create the modern spam crisis by itself. It exposed the conditions that made the crisis possible. Those conditions still exist whenever a new technology lets one sender reach many people cheaply, personally, and without asking first.

Reader questions about the first spam email and the spam problem

Who sent the first spam email?

Gary Thuerk, a marketer at Digital Equipment Corporation, sent the first widely documented commercial spam email over ARPANET on May 3, 1978. It promoted DEC’s DECSYSTEM-20 family to roughly 400 recipients.

Was the network called APARNET or ARPANET?

The correct name is ARPANET, the Advanced Research Projects Agency Network. “APARNET” is a common typo.

What did Gary Thuerk’s email advertise?

It advertised DEC product presentations for the DECSYSTEM-20 family, including systems such as the 2020, 2020T, 2060, and 2060T.

Was Thuerk’s message illegal?

There was no modern anti-spam law in 1978. The controversy was mainly about ARPANET norms and whether a research network should be used for unsolicited commercial promotion.

Did the first spam email use the word spam?

No. The message was not called spam at the time. The internet use of “spam” became common later, especially after mass-posting incidents on Usenet.

How many people received the first spam email?

Historical sources vary. Guinness World Records gives 397 accounts. Other accounts use “about 400,” “more than 400,” or discuss a larger selected address list that did not fully receive the message.

Was this really the first spam ever?

It is best described as the first widely documented commercial spam email on ARPANET. Earlier unwanted electronic messages and the “junk mail problem” were already known in narrower technical contexts.

Who invented email?

Ray Tomlinson is widely credited with creating network email on ARPANET in 1971 and choosing the “@” sign to separate user and host.

What made Thuerk’s email spam?

It was unsolicited, commercial, sent in bulk, and delivered into a network community that did not expect mass advertising.

Was the email a scam?

No. It promoted a real company and real product demonstrations. Its importance lies in unwanted bulk commercial delivery, not fraud.

What was DEC?

Digital Equipment Corporation was a major computer company known for minicomputers and systems used by technical, academic, and business customers.

What was the DECSYSTEM-20?

The DECSYSTEM-20 was a DEC computer family associated with TOPS-20 and relevant to networked computing environments of the period.

Why did recipients complain?

Recipients saw the message as inappropriate for ARPANET, a research and technical network not intended as a mass advertising channel.

What did RFC 706 say about junk mail?

Jon Postel’s 1975 RFC 706 warned that ARPANET hosts lacked a way to selectively refuse unwanted messages and that excessive unwanted traffic could waste user and network resources.

What is the CAN-SPAM Act?

The CAN-SPAM Act of 2003 is the main U.S. federal law governing commercial email. It requires truthful headers, non-deceptive subject lines, sender identification, a postal address, opt-out rights, and honoring opt-out requests.

Do SPF, DKIM and DMARC stop spam?

They reduce spoofing and improve sender authentication, but they do not stop all spam. Authenticated messages can still be unwanted or malicious.

Why do Gmail and Outlook require authentication for bulk senders?

Authentication helps providers verify that senders are authorized to use their domains, reducing spoofing, phishing, and unauthenticated bulk abuse.

What is the main lesson from the first spam email?

The main lesson is that reach is not permission. A sender may be able to contact many people, but that does not mean recipients want or trust the message.

Author:
Jan Bielik
CEO & Founder of Webiano Digital & Marketing Agency

This article is an original analysis supported by the sources cited below

May 3 Earliest known case of spam
Computer History Museum’s entry identifying Gary Thuerk’s May 3, 1978 DEC message as the earliest known case of spam and describing the negative reaction.

Oldest electronic spam
Guinness World Records entry giving the date, timestamp, sender, employer, recipient count, and DEC product demonstration details for the oldest electronic spam record.

RFC 706 On the junk mail problem
Jon Postel’s 1975 RFC explaining the ARPANET junk mail problem and the lack of a selective refusal mechanism for unwanted messages.

Reaction to the DEC spam of 1978
Brad Templeton’s historical page collecting context and reactions around the DEC ARPANET spam incident.

Origin of the term spam to mean net abuse
Brad Templeton’s account of how “spam” became associated with repeated online abuse and how the term spread through online communities.

ARPANET
DARPA’s historical feature explaining ARPANET’s origin, early nodes, and first computer-to-computer signal on October 29, 1969.

A brief history of the Internet
Internet Society history by key internet pioneers covering packet switching, ARPANET, RFC culture, email, commercialization, and internet governance.

The first message transmission
ICANN historical article on the first ARPANET message and the early steps that led to networked communication.

Invention of the today so-called e-mail
Eduard Rhein Foundation page describing Ray Tomlinson’s 1971 network email and the early prominence of email traffic on ARPANET.

RFC 821 Simple Mail Transfer Protocol
Original 1982 SMTP specification by Jon Postel, relevant to the later technical foundations of internet email transport.

RFC 5321 Simple Mail Transfer Protocol
IETF specification consolidating and updating SMTP for contemporary internet mail transport.

RFC 7208 Sender Policy Framework
IETF standard describing SPF and the authorization of hosts allowed to send mail for a domain.

RFC 6376 DomainKeys Identified Mail signatures
IETF standard describing DKIM signatures and domain-linked cryptographic responsibility for email messages.

RFC 7489 Domain-based Message Authentication Reporting and Conformance
IETF informational RFC describing DMARC policies, reporting, and handling of messages that fail authentication checks.

Email authentication mechanisms DMARC SPF and DKIM
NIST publication page describing email authentication mechanisms and NIST’s work around SPF, DKIM, and DMARC testing.

CAN-SPAM Act compliance guide for business
Federal Trade Commission guide explaining commercial email duties, opt-out rights, penalties, and sender responsibility under CAN-SPAM.

S.877 CAN-SPAM Act of 2003
Congress.gov record for the CAN-SPAM Act of 2003, including legislative status, public law date, and congressional summary.

New Gmail protections for a safer less spammy inbox
Google announcement of bulk sender requirements, authentication expectations, easy unsubscribe rules, and Gmail anti-spam protections.

Email sender guidelines
Google Workspace Admin Help page detailing sender requirements for SPF, DKIM, DMARC, authentication, infrastructure, and bulk sending.

Strengthening email ecosystem Outlook’s new requirements for high-volume senders
Microsoft Community Hub post describing Outlook’s stricter high-volume sender requirements and mandatory authentication standards.

FBI releases annual Internet Crime Report
FBI press release summarizing the 2024 IC3 Internet Crime Report, complaint volume, and reported losses from suspected internet crime.

Recognize and report phishing
CISA guidance defining phishing and explaining how harmful emails, links, and attachments are used to steal information or infect devices.

Reducing spam
CISA guidance for reducing spam exposure and managing unwanted email risk.

Best practices
M3AAWG public best-practice library covering messaging abuse, malware, mobile abuse, and email ecosystem protection.

Damn spam
The New Yorker’s long-form feature connecting the 1978 Thuerk message to the economics and escalation of junk email.

May 1 1978 spam from novelty to nuisance in a couple of decades
Wired’s historical article on the writing and sending of the first unsolicited bulk email and its later significance.

The typing error that gave us thirty years of spam
The Guardian’s historical account of Thuerk’s DEC message, SNDMSG use, addressing problems, and preserved product-presentation text.

Systematic literature review anti-phishing defences and their application to before-the-click phishing email detection
Academic review of anti-phishing defenses, detection categories, and before-the-click email security approaches.

Weak links in authentication chains
Academic study examining email sender spoofing attacks and weaknesses across SPF, DKIM, DMARC, and user-interface protections.

Forward pass on the security implications of email forwarding mechanism and policy
Academic paper analyzing how forwarding and mailing-list mechanisms can undermine assumptions behind email anti-spoofing protocols.